Issue 60

Remote vulnerability found in torrent client Transmission

Tavis Ormandy found a vulnerability in Transmission, which he explains nicely: a malicious web page uses DNS rebinding to talk to the Transmission daemon's RPC interface listening on localhost, something the browser's same-origin policy would normally prevent. Worth reading even if you don't run Transmission, since any service that trusts "it's only listening on 127.0.0.1" is exposed to the same trick.
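The standard defence against this class of bug is to check the Host header: after rebinding, the browser still sends the attacker's hostname in Host, and page script cannot change it, so a loopback service can simply refuse anything that is not localhost or a loopback address. The following is an added illustration written for this newsletter, not Transmission's own code; the port 9091 and the hostname evil.example are assumptions for the sample.

```python
"""Host-header allowlisting for a loopback-only RPC service.

Added example, not Transmission's own code. In a DNS rebinding attack the
attacker's hostname (assumed here: evil.example) first resolves to the
attacker's server, then is re-pointed at 127.0.0.1, so script on the
attacker's page can reach a service listening on loopback. The browser
still sends the Host header it believes it is talking to, and a script
cannot override it, so a loopback service can reject every request whose
Host is not one a legitimate local client would send.
"""
import ipaddress

RPC_PORT = 9091                 # assumption: Transmission's default RPC port
ALLOWED_HOSTNAMES = {"localhost"}


def parse_host_header(value):
    """Split a Host header into (host, port); port is None if absent.

    Returns (None, None) for malformed values such as 'localhost:abc'.
    Handles bracketed IPv6 literals like '[::1]:9091'.
    """
    value = value.strip()
    if value.startswith("["):
        end = value.find("]")
        if end < 0:
            return None, None
        host, rest = value[1:end], value[end + 1:]
    else:
        host, sep, rest = value.partition(":")
        rest = sep + rest
    if rest == "":
        port = None
    elif rest.startswith(":") and rest[1:].isdigit():
        port = int(rest[1:])
    else:
        return None, None
    return host.lower(), port


def host_allowed(host_header, port=RPC_PORT, allowed=ALLOWED_HOSTNAMES):
    """True only for Host values a local client would legitimately send."""
    if not host_header:
        return False
    host, hdr_port = parse_host_header(host_header)
    if host is None:
        return False
    if hdr_port is not None and hdr_port != port:
        return False
    try:
        # Loopback IP literals (127.0.0.0/8, ::1) are fine; any other
        # IP literal (e.g. a public address) is not.
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        pass  # not an IP literal, fall through to the hostname allowlist
    return host in allowed


def triage(requests):
    """Return {host_header: allowed?} for a batch of observed Host values."""
    return {h: host_allowed(h) for h in requests}


if __name__ == "__main__":
    # Constructed sample: what the local web UI sends, what a rebound page sends.
    sample = ["localhost:9091", "127.0.0.1:9091", "[::1]:9091",
              "evil.example:9091", "evil.example"]
    for host, ok in triage(sample).items():
        print(f"{'allow' if ok else 'reject':6} Host: {host}")
```

The check has to run before any RPC handling, including the session-token handshake, because once the attacker's page is rebound it is same-origin with the daemon as far as the browser is concerned and can read whatever the daemon returns.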


BlackWallet cryptocurrency site loses users’ money after DNS hijack

BlackWallet, an online wallet for the Stellar cryptocurrency, was hacked. The attacker took control of the site's DNS records and pointed the domain at an identical-looking copy of the site, which siphoned off your coins as soon as you entered your private key. About $425,000 was stolen. Note that control of DNS is also all a CA needs to issue a domain-validated certificate, so a padlock in the address bar is no protection against this kind of hijack.


Intel AMT security heads-up related to physical access

The usual wisdom is that once someone has physical access to your device you're done for anyway, but this deserves a heads-up: if you have Intel AMT enabled, make sure the Management Engine BIOS Extension (MEBx) password has been changed from its default 'admin', which apparently most people never do. Someone with brief physical access can enter the MEBx at boot (Ctrl+P), log in with the default password and enable remote access in under 30 seconds, bypassing the BIOS password, BitLocker encryption, etc., leaving your device open to remote login over the network. If you don't use AMT, disable it.


Oracle addresses 237 vulnerabilities across multiple products

Most of them are remotely exploitable, so get those updates going.
Also make sure your older patches are applied: a campaign is underway that compromises unpatched Oracle PeopleSoft and WebLogic servers to mine Monero.


Lenovo found and patched backdoor in RackSwitch and BladeCenter products

The backdoor was introduced 14 years ago at Nortel Networks; the product line passed through BLADE Network Technologies and IBM before Lenovo acquired it. It was discovered by Lenovo itself. Fortunately the backdoor only opens under a narrow and uncommon set of conditions.


Mozilla restricts all new Firefox features to HTTPS only

Any new Firefox feature shipped from now on will only work in a 'secure context', meaning on HTTPS websites or on localhost.
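What "secure context" means precisely is spelled out in the W3C Secure Contexts spec, and it is a little broader than "HTTPS or localhost". As an added illustration (written for this newsletter, not Firefox's code), the following approximates the spec's rules for a potentially trustworthy origin and the extra requirement that a document's embedding frames be trustworthy too. Browser-specific extras such as extension schemes and user-configured exceptions are left out, and hosts are taken as written rather than normalised, so an address like 127.1 is not recognised.

```python
"""Secure-context classification, approximating the W3C Secure Contexts spec.

Added example for illustration; it is not Firefox code. It implements the
'potentially trustworthy origin' rules the spec gives (https/wss/file schemes,
loopback addresses, localhost and *.localhost) and the requirement that a
document's ancestors be trustworthy too. Browser-specific extras such as
extension schemes and user-configured exceptions are left out, and hosts are
taken as written (no URL host normalisation, so '127.1' is not recognised).
"""
import ipaddress
from urllib.parse import urlsplit

TRUSTWORTHY_SCHEMES = {"https", "wss", "file"}


def is_potentially_trustworthy(url):
    """Return True if the origin of `url` counts as potentially trustworthy."""
    parts = urlsplit(url)
    if parts.scheme.lower() in TRUSTWORTHY_SCHEMES:
        return True
    host = parts.hostname  # lowercased, brackets stripped from IPv6 literals
    if not host:
        return False
    try:
        # 127.0.0.0/8 and ::1 are loopback regardless of scheme.
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        pass  # not an IP literal
    return host == "localhost" or host.endswith(".localhost")


def is_secure_context(document_url, ancestor_urls=()):
    """A document is a secure context only if its own origin and the origin of
    every ancestor browsing context (the frames that embed it) are trustworthy."""
    return all(is_potentially_trustworthy(u) for u in (document_url, *ancestor_urls))


if __name__ == "__main__":
    # Constructed examples of where a new Firefox feature would or would not be available.
    for url in ("https://example.com/", "http://localhost:8080/",
                "http://127.0.0.1/", "http://example.com/"):
        print(f"{url:28} secure={is_secure_context(url)}")
    # An https widget framed by an http page loses secure-context status.
    print(is_secure_context("https://widget.example/", ["http://example.com/"]))
```

The practical consequence of the ancestor rule is that an HTTPS widget embedded in an HTTP page is not a secure context, so new features will be missing there too. In the browser itself, `window.isSecureContext` tells a page which side of the line it is on.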


GSuite releases Security Center for enterprise customers

If you run an enterprise GSuite account, this will make you happy. It's a dashboard showing things like the number of documents being shared, insecure e-mail settings, the volume of inbound spam and phishing, and so on.


Bad guys getting caught

Always good to know that not everyone gets away with malicious stuff.
There were quite a few arrests and indictments this week, so I figured I'd group them up:

  • The creator of the FruitFly Mac malware, which ran for 13 years: link
  • A hacker that was part of the 'Fappening': link
  • The creator of both Cryptex (a service to scramble binaries so antivirus doesn't detect them) and a companion service for testing whether antivirus products detected your malware: link
  • The operator of LeakedSource, a service where you paid for access to uncensored dumps of leaked user data: link


Stackhackr: mock malware

This might be fun to play around with: you can create your own mock malware that behaves like the real thing, just without the actual damage, and see whether your defences hold.


DNSFS: store your files in other people's DNS resolver caches

Cool research that explores using the caches of open DNS resolvers as file storage, dubbed DNSFS :-)



Automated vulnerability scans of web applications in the SDLC

Integrating web application security into the SDLC has become really important. Businesses push new code to production multiple times a day, so it is vital that security flaws are identified at the source. Listen to Paul's Security Weekly podcast discussing this, scaling up web application security, time management for penetration testers and more.